The subject matter of my previous blog post is now front page news, and Apple has now responded. Time for a follow-up with some additional thoughts. This entry questions the Password Policy for Apple ID and asks whether it may be responsible for past and future attempts to manipulate app ranking in the App store.
A Note on Media Alignment
It is worth noting that we’re beginning to see more media outlets align with or against Apple. From my frequent review of popular mobile news coverage, it has become clear that Gizmodo and PC World do their best to highlight gaffes and problems in the iTunes ecosystem or just about iAnything. Meanwhile a blog like MacRumors seeks to downplay news that might be viewed as concerning or add to the distress from iphone4antennaegate. (I just made that up).
While the title of these publications alone should serve as a strong indicator, keeping track is important. The Clintons are well known for keeping their loyalty lists in order and it is entirely reasonable to assume Apple is doing the same. For the record, I run an iOS app development group and generally advocate for the iOS platform.
The Recent Gaming of the App Store
Back to the issue at hand, MacRumors published a piece titled, “Reports of ‘App Store Hacked’ Greatly Exaggerated” that sought to downplay concerns related to the book category being hijacked by a rogue developer for over four days. Indeed, the book category is small, however any evidence that challenges the fairness of the App store only adds to the mindset that not all developers get a fair shot.
When news like this is published it suggests that as an app developer, you not only must court and respond to any marketing opportunities provided by Apple (few and far between) but also worry about your app competing on its own merits in the top 50 ranking.
Apple ID Password Policy
Currently the only requirement for a password that may be used to access iTunes, MobileMe, the iOS developer portal and more is that it be 6 characters in length. As far as I can tell, there are no other requirements and no common passwords are blocked. (I briefly changed my password to ‘password’ to test this.)
To quote Wikipedia’s entry, “Password policies are usually a tradeoff between theoretical security and the practicalities of human behavior.” In the case of the iTunes music store the practicalities of human behavior are that the general public is really bad at remembering passwords, especially if they require numbers or upper case letters.
From Apple’s perspective, when someone forgets their password they can not buy virtual goods, whether that be music, videos or apps. It is my belief that Apple forces you to re-enter your password when ‘buying’ free applications or upgrading previous applications specifically to make sure you always know your password just in case you decide you want to buy something.
Given the number of accounts out there linked directly to credit cards, it is fair to assume that if Apple were to implement a stronger password policy it would have a negative effect on sales. And, at least for the moment, the number of negative publicity associated with compromised accounts and their use to game the app store does not outweigh this figure.
Apple ID password requirements appear to have been unchanged for years, as hack reports have been reported for some time. What is new is the app store gaming. No one cares about others’ poor password choices until they start affecting their own bottom line.